Key Systems, Inc. (KSI), offers an object ("Asset") monitoring and locating Service via our AssetTracker smartphone app ("this Application") in conjunction with software on a Cloud Server, software and hardware under a Service Customer's control, and Bluetooth-enabled tags that can interact with a mobile device, such as User's smartphone, running this Application. Users are typically engaged by Customer in relationships, e.g. as employees or contractors, requiring User access to Assets owned by Customer, such as keys or equipment. Bluetooth-enabled AssetTracker tags attached to the Assets interact with the User's device upon checkout to allow this Application to monitor Asset location, Asset distance from device, and tag status. As a result, this Application collects Personal Data and passes some of it to the Cloud Server and/or Customer as part of the Service. KSI is not responsible for loss or theft of items tracked by AssetTracker tags, nor is KSI responsible for the handling of Personal Data by Customer, User, or any party other than KSI and any of its agents or affiliates contracted to handle such Personal Data. Definitions of terms used herein can be found in the section of this Policy entitled, "Definitions and Legal References."

Consent: Grant and Revocation
Clicking "Accept" on the "Background Location Access" pop-up during app set-up constitutes your explicit consent to the collection of Personal Data as described in this Privacy Policy, including location tracking, and to the terms of this Privacy Policy. You may revoke consent to the collection of Personal Data at any time by deauthorizing yourself and your device in this Application, bearing in mind that such revocation does not pertain to Personal Data collected prior to such revocation of consent. Simply deleting this Application is not sufficient to revoke consent; you must deauthorize to revoke consent.

Data Controller(s) and Owner(s)
     Key Systems, Inc. (KSI) – P.O. Box G, Fishers, New York, 14453, 800-888-3553, support@keystorage.com
     Service Customer (Customer) – Identity and contact information vary

Types of Data Collected
This Application collects Personal Data, by itself or through third parties, including: Cookies, E-Mail Data, Device Data, Usage Data, User Names, and Location Data, which are defined in "Definitions and Legal References," below. Other sections of this Privacy Policy may describe other Personal Data collected, and some Personal Data may be described contextually in dedicated text at the time of collection. Some Personal Data may be freely provided by the User, and other Personal Data may be collected automatically when using this Application, whether the Application is in the foreground or background.

Purpose of Collection
Any use of Personal Data, or of other tracking tools in connection with use of this Application, unless stated otherwise, serves to identify Users, verify Users, and remember Users' preferences, as well as to monitor and locate a Bluetooth tag device attached to an Asset for the sole purpose of providing the Service required by the Customer and/or User. Failure or refusal to provide or to allow collection of certain Personal Data may prevent this Application from providing its part in the Service, as well as inability of User to access to one or more Assets. The Customer and/or User assumes responsibility for the Personal Data of third parties published or shared through this Application by User and by such action(s) declare(s) to have the right to communicate or broadcast such information, thereby relieving the Data Controller of all responsibility therefor.

Method of Processing
The Personal Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. More specifically, the Personal Data is processed using a cloud-based Service, hosted on a Cloud Server, that maintains a Database on behalf of Customer. The cloud-based Service also interacts with Customer's existing installation of software produced by Data Controller, Global Facilities Management System (GFMS), which is installed and operated on hardware controlled by Customer. The Personal Data is used to verify and identify the User, to monitor the location of any tag monitored by the Application and its distance from User's device, to report circumstances or events as requested by Customer, to report various conditions of any tag being monitored by the Application, and/or to alert User of a potential loss of an Asset to which a monitored tag is attached.

Security
Data Controller shall take appropriate security measures to prevent unauthorized access, disclosure, modification, or destruction of the Personal Data under its control, which shall not include Personal Data relayed to Customer once under Customer's control. In addition to the Data Controller, the Data may in some cases be accessible to certain types of persons in charge, involved with the operation of the site (administration, sales, marketing, legal, system administration) or external parties (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Data Controller at any time.

Place Processed
The Personal Data is processed at a facility hired by the Data Controller for the purpose of hosting the software providing the Service on a Cloud Server. Additional processing may occur at Customer's facilities, which are not under Controller's control and for which Controller is not responsible in any way.

Conservation Time
The Data is kept by the Data Controller for the time necessary to provide the Service requested by the Customer. Subject to restrictions imposed by law, the Customer, the Service Agreement between Customer and Data Controller, and the relationship between the Customer and the User, the User can request the Data Controller suspend Data Collection or remove Personal Data under Data Controller's control.

The Use of the Collected Data
The Data concerning the User is collected to allow the Application to furnish information required to provide the Service, and can include sending e-mail, push, and notification messages.

Customer Installation of KSI's Global Facilities Management System (GFMS)

GFMS is used by Customer to monitor and control access to Assets stored in KSI Security Asset Managers (SAMs) and related Asset storage hardware owned and/or controlled by Customer. Among other services, GFMS maintains a database of Authorized Users, Monitored Assets, hierarchical permissions assigned to Users and Assets, Events associated with Assets and Users, and Asset Location Data. User Personal Data, including Location Data, is used by the Service to generate Asset Location Data that is relayed to GFMS. GFMS also includes e-mail address management and message sending capabilities and interacts with the Cloud Server to generate notifications and/or messages on User's Device, as well as to send notifications to Customer personnel under certain conditions set by Customer.

Personal Data collected: GFMS UserID, GFMS-Associated User e-Mail Address, Location Data, Usage Data (e.g. Asset Transaction and Events).

Customer Asset Storage Hardware
Assets with tags are stored in hardware under Customer's control, which may include SAMs and related KSI products. It is also possible for tagged Assets to be stored in other ways under Customer's control. GFMS gathers tag and Asset information directly from tags or via storage hardware and relays some Data to the Service, which then relays some Data to the Application. In addition, Data collected by this Application may ultimately reach Customer's Asset storage hardware. Data Controller has no control over the Customer's Asset storage hardware.

Legal Action
User's Personal Data may be used for legal purposes by Data Controller in Court or in the stages leading to possible legal action arising from improper use of this Application or the related services.

Additional Information about User's Personal Data
In addition to the information in this privacy policy, this Application may provide the User with contextual information concerning particular services or the collection and processing of Personal Data.

System Logs and Maintenance
For operation and maintenance purposes, this Application and any third party services may collect files that record interaction with this Application (System Logs) or use for this purpose other Personal Data (such as IP Address).

Information Not Contained in This Policy
More details concerning the collection or processing of Personal Data may be requested from the Data Controller at any time at its contact information.

User Rights
Subject to restrictions imposed by the Customer, the Service Agreement between Customer and Data Controller, and the relationship between the Customer and the User, the User has the right, at any time, to know whether his or her Personal Data has been stored, as well as the contents and origin of the Personal Data, to verify accuracy or to ask for the Personal Data to be supplemented, cancelled, updated or corrected, to ask the Personal Data to be converted into an anonymous format, to block any of the Personal Data held in violation of the law, and/or to oppose the treatment of the Personal Data for any and all legitimate reasons, with the caveat that doing so may prevent this Application from providing the Service. Requests should be sent to Data Controller at the contact information set out above. This Application does not support "do not track" requests inasmuch as the whole point of the Service is to track and monitor Assets attached to tags in communication with User's device and to enable Customer to hold User accountable for such Assets' disposition.

Changes to This Privacy Policy
The Data Controller reserves the right to make changes to this privacy policy at any time by giving notice to its Users on this page. It is strongly recommended that the User check this page often, referring to the date of the last modification listed at the bottom. If a User objects to any of the changes to the Policy, the User must cease using this Application and can request the Data Controller to erase the Personal Data, Subject to restrictions imposed by the Customer, the Service Agreement between Customer and Data Controller, and the relationship between the Customer and the User. Unless stated otherwise, the then-current privacy policy applies to all Personal Data the Data Controller has about Users.

Information about This Privacy Policy
The Data Controller is responsible for this privacy policy.

European Users
For Customers monitoring Assets in the European Union, Controller hires GDPR-compliant Cloud Server facilities in the European Union. or elsewhere that have included the GDPR Model Clauses as set forth in European Commission Decision (EC Dec.) C(2010)593. This Privacy Policy constitutes a notice prepared in fulfillment of the obligations imposed by Article 12 of Regulation (EU) No. 2016/679 and is solely about this Application and the associated Service. Controller does not employ a Data Protection Officer, nor does Controller have an E.U. representative. User has a right to lodge a complaint with an appropriate Supervisory Authority, such as the European Data Protection Supervisor (https://secure.edps.europa.eu/EDPSWEB/) through which User can learn how to/with what body User should file a complaint. The provision of the Personal Data is a contractual requirement for providing the Service(s); conversely, failure to provide the Personal Data will prevent User's access to Assets monitored by the Service(s). Automated decision-making is employed with regard to Asset use per any restrictions imposed upon User's access, which may result in sending notifications to authorities in Customer's organization, such as when contact with a monitored Asset is established/lost, when an Asset enters/leaves a particular area or is overdue for return, when an Asset tag battery has reached a particular level of charge, and the like.

Intellectual Property
The Service and its original content, features, and functionality are and will remain the exclusive property of Key Systems, Inc., and its licensors, protected by copyright, trademark, patent, and/or other laws of the United States and other countries. Prior written consent of Key Systems, Inc., is required for use of KSI's trademarks and trade dress in connection with any product or service.

Links to Other Web Sites
This Application and/or the Service may provide links to third party web sites or services that are not owned or controlled by Key Systems, Inc. Key Systems, Inc., has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third party web sites or services, nor does Key Systems, Inc., warrant the offerings of any of these entities/individuals or their websites. User acknowledges and agrees that Key Systems, Inc., shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any content, goods or services available on or through any such third party web sites or services. Key Systems, Inc., strongly advises User to read the terms and conditions and privacy policies of any third party web sites or services visited.

Definitions and Legal References

Personal Data (or Data)
Any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier (such as a User Name), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In addition, for at least the purposes of the Model Clauses of EC Dec. C(2010)593, 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

This Application
The KSI AssetTracker application, a software tool that may collect Personal Data to provide services described above.

Device
A smartphone or other computing device on which this Application is installed and/or runs, whether owned by User or another party and operated by User.

User
The individual using this Application, which must coincide with or be authorized by the legal or natural person to whom the Personal Data refer (the Data Subject).

E-Mail Data
Includes User-supplied e-mail address(es), as well as authorization, and confirmation messages sent to the User's e-mail account(s). This may also include dates and times of viewing, reading, deleting, or otherwise manipulating such messages and/or their content, such as links in the messages.

Device Data
Includes a unique device ID created by this Application, as well as platform and other device information needed to perform the Service.

Usage Data
Information collected automatically from or on behalf of this Application, which can include: name/attributes of computer network(s) to which the Device connects; identifiers of Assets User is authorized to check out; events regarding Assets checked out to User; IP addresses/domain names of the Device hosting this Application and/or computers or other devices used by Users of this Application; Uniform Resource Identifiers (URIs) used to submit requests to a server(s), as well as time/method of submission, the size of any file received in response, any numerical code representing the status of a server's answer (successful outcome, error, etc.), the country of origin of the request, operating system of the Device, various time details per visit (e.g., the time spent on each page within the Application) and details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.

User Name (or User ID)
An identifier by which the User is known to a computer-implemented system, such as KSI's GFMS, a facilities maintenance system, an access control system, an e-mail service provider, or other service provider, for the purposes of authorization and/or access, particularly in conjunction with a password, challenge question(s), security token, and/or other authorization tools.

Data Controller (or Application Owner, or Owner)
The natural person, legal person, public administration, or any other body, association or organization with the right, also jointly with another Data Controller, to make decisions regarding the purposes, and the methods of processing of Personal Data and the means used, including the security measures concerning the operation and use of this Application. The Data Controller, unless otherwise specified, is the Owner of this Application. For the purposes of EC Dec. C(2010)593, this is also the Data Exporter where the Personal Data is transferred by Controller out of the EU and/or the Data Importer where Controller transfers the Personal Data into the EU.

Data Processor
A natural person, legal person, public administration, or other body, association or organization authorized by the Data Controller to process the Personal Data in compliance with this privacy policy.

Cookie
A small piece of data stored in the User's device, typically as a result of using a web browser to access a web page, but also used in other contexts.

Last modified 23 February 2022